Skip to content
Snippets Groups Projects
  1. Apr 19, 2024
  2. Apr 27, 2023
  3. Apr 17, 2023
    • Eneas U de Queiroz's avatar
      openssl: fix CVE-2023-464 and CVE-2023-465 · f8282da1
      Eneas U de Queiroz authored
      
      Apply two patches fixing low-severity vulnerabilities related to
      certificate policies validation:
      
      - Excessive Resource Usage Verifying X.509 Policy Constraints
        (CVE-2023-0464)
        Severity: Low
        A security vulnerability has been identified in all supported versions
        of OpenSSL related to the verification of X.509 certificate chains
        that include policy constraints.  Attackers may be able to exploit
        this vulnerability by creating a malicious certificate chain that
        triggers exponential use of computational resources, leading to a
        denial-of-service (DoS) attack on affected systems.
        Policy processing is disabled by default but can be enabled by passing
        the `-policy' argument to the command line utilities or by calling the
        `X509_VERIFY_PARAM_set1_policies()' function.
      
      - Invalid certificate policies in leaf certificates are silently ignored
        (CVE-2023-0465)
        Severity: Low
        Applications that use a non-default option when verifying certificates
        may be vulnerable to an attack from a malicious CA to circumvent
        certain checks.
        Invalid certificate policies in leaf certificates are silently ignored
        by OpenSSL and other certificate policy checks are skipped for that
        certificate.  A malicious CA could use this to deliberately assert
        invalid certificate policies in order to circumvent policy checking on
        the certificate altogether.
        Policy processing is disabled by default but can be enabled by passing
        the `-policy' argument to the command line utilities or by calling the
        `X509_VERIFY_PARAM_set1_policies()' function.
      
      Note: OpenSSL also released a fix for low-severity security advisory
      CVE-2023-466.  It is not included here because the fix only changes the
      documentation, which is not built nor included in any OpenWrt package.
      
      Due to the low-severity of these issues, there will be not be an
      immediate new release of OpenSSL.
      
      Signed-off-by: default avatarEneas U de Queiroz <cotequeiroz@gmail.com>
      f8282da1
  4. Apr 15, 2023
  5. Apr 13, 2023
  6. Apr 09, 2023
  7. Mar 30, 2023
  8. Mar 29, 2023
  9. Mar 27, 2023
  10. Mar 04, 2023
    • Christian Lamparter's avatar
      ca-certificates: fix python3-cryptography woes in certdata2pem.py · 23c86d44
      Christian Lamparter authored
      This patch is a revert of the upstream patch to Debian's ca-certificate
      commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
      
      The reason is, that this change broke builds with the popular
      Ubuntu 20.04 LTS (focal) releases which are shipping with an
      older version of the python3-cryptography package that is not
      compatible.
      
      |Traceback (most recent call last):
      |  File "certdata2pem.py", line 125, in <module>
      |    cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
      |TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
      |make[5]: *** [Makefile:6: all] Error 1
      
      ...or if the python3-cryptography was missing all together:
      |Traceback (most recent call last):
      |  File "/certdata2pem.py", line 31, in <module>
      |    from cryptography import x509
      |ModuleNotFoundError: No module named 'cryptography'
      
      More concerns were raised by Jo-Philipp Wich:
      "We don't want the build to depend on the local system time anyway.
      Right now it seems to be just a warning but I could imagine that
      eventually certs are simply omitted of found to be expired at
      build time which would break reproducibility."
      
      Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697
      
      >
      Reported-by: default avatarChen Minqiang <ptpt52@gmail.com>
      Reported-by: default avatarShane Synan <digitalcircuit36939@gmail.com>
      Signed-off-by: default avatarChristian Lamparter <chunkeey@gmail.com>
      (cherry picked from commit 25bc66eb)
      23c86d44
Loading